Google Git
Sign in
apache / ofbiz-plugins / refs/tags/release17.12.07
tag50d3e3b98e4d9b07cacb1f80b8a2381ab3befee8
taggerJacopo Cappellato <jacopo.cappellato@gmail.com>Sun Apr 25 14:45:34 2021 +0200
object32a310ca143717efc9f6d1167450b3e5a508ee14 
Tag release 17.12.07
commit32a310ca143717efc9f6d1167450b3e5a508ee14[log] [tgz]
authorJacques Le Roux <jacques.le.roux@les7arts.com>Mon Mar 29 13:13:55 2021 +0200
committerJacques Le Roux <jacques.le.roux@les7arts.com>Mon Mar 29 13:24:08 2021 +0200
tree250226b24814abecef0990b7b5f26282201fc744
parent63df767bee7088605c45eab68882f152fe0b9e27 [diff]
Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)

The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.

Here is the email content:

    After the recent fix for the CVE-2021-26295[1] we discussed with the security
    team about the opportunity need to comment out the SOAP and HTTP engines
    like we did in the past for RMI[2], this obviously for security reason.

    [1] OFBIZ-12167 "Adds a blacklist (to be
    renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
    [2] OFBIZ-6942 "Comment out RMI related
    code because of the Java deserialization issue [CVE-2016-2170] "

I just put a small comment in webtools and scrumm controllers, it should be
enough.

The tests pass

Conflicts handled by hand
  scrum/servicedef/services.xml
2 files changed
tree: 250226b24814abecef0990b7b5f26282201fc744
  1. .github/
  2. assetmaint/
  3. bi/
  4. birt/
  5. cmssite/
  6. ebay/
  7. ebaystore/
  8. ecommerce/
  9. example/
  10. exampleext/
  11. ldap/
  12. lucene/
  13. msggateway/
  14. multiflex/
  15. myportal/
  16. passport/
  17. pricat/
  18. projectmgr/
  19. scrum/
  20. solr/
  21. webpos/
  22. .gitignore
  23. .project
  24. LICENSE
  25. NOTICE